Sprint says Virgin Mobile users are safe from account hijacks
Downplays report by developer that accounts are easily hackable
Computerworld - Sprint today denied that subscribers of its Virgin Mobile subsidiary were wide open to account hijacking attacks as claimed by an independent software developer this week.
In emailed comments, Sprint spokeswoman Stephanie Vinge Walsh said the company has multiple safeguards to protect customer accounts from intrusion and tampering by unauthorized users.
"It's important to note that there are many different overlapping safeguards in place to ensure our customers' privacy and security, and we have taken steps to further prevent intrusions and spoofing," Walsh said. "While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place."
Walsh was responding to questions that arose from a Monday blog post by developer Kevin Burke. In it, Burke detailed how the username and password system used by Virgin Mobile to let users access their accounts online was inherently weak and open to abuse.
Virgin forces subscribers to use their phone numbers as their username and a six-digit number as their password, Burke noted.
Because the password is just six digits long, it is relatively easy to guess using brute-force password guessing tools, Burke claimed. Burke authored a password-guessing tool to crack his own password to demonstrate how easy it is to defeat Virgin Mobile's authentication. The tool was designed to test different 6-digit password combinations until it discovered the right one.
With the password and phone number, an attacker would be able to get a user's entire call records and texting history, change the handset associated with the number and change service address and password to lock the actual user out of an account, Burke wrote.
Burke said he went public with his discovery because Sprint did not fix the vulnerability after being told how easy it was to exploit. He also noted in his blog that Virgin Mobile subscribers had no easy way to mitigate any exposure to account hijacks.
In response, Sprint said it implemented a new procedure to lock out users from their accounts after four failed attempts. Burke described that move as ineffective because hackers could bypass it by making login attempts without sending any cookie data with the requests.
In her comments today, Walsh did not specifically address Burke's claims. Instead, she said the company has not received any reports of fraud affecting Virgin Mobile customers.
"We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts," Walsh said. "Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges."
Walsh offered no details on what those measures might be.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts